How to make sure /etc/passwd is not compromised

amd
Posts: 10
Joined: 2020/09/28 19:21:29

How to make sure /etc/passwd is not compromised

Post by amd » 2020/09/28 19:51:30

Hello,

I purchased a CentOS 8 based VPS from Contabo a few months ago, and haven't really had the time to get my hands on it up until now.

What looks intriguing from the session start is that my fresh, yet-unused VPS was under constant attack during all this time. When I ssh into the server (password login), I read this on my screen:
There were 332321 failed login attempts since the last successful login.
Contabo support recommended I switch to ssh-key based login, which I am currently trying to set up.

In fact I am far from being confident with Linux; I am currently learning Linux user administration, and came across /etc/passwd as I am following through a tutorial. The first question stuck in my head is how I know my VPS is not already compromised. This is the output I get out of

cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
unbound:x:997:995:Unbound DNS resolver:/etc/unbound:/sbin/nologin
sssd:x:996:993:User for sssd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:995:992::/var/lib/chrony:/sbin/nologin

Can anyone please help me detect if there's an unusual user in the list?

I have not yet created any user myself, I'm still using the default root user provided out of the box by Contabo.

tunk
Posts: 1206
Joined: 2017/02/22 15:08:17

Re: How to make sure /etc/passwd is not compromised

Post by tunk » 2020/09/28 20:52:47

The passwords are stored in /etc/shadow, and /etc/passwd is readable by anyone logged in.
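To turn the two points above (look for unexpected users in /etc/passwd, and expect the password field to be "x" because the hash lives in /etc/shadow) into a repeatable check, here is an added example that is not from this thread. The sample is constructed and deliberately contains anomalies; on a real host feed it the contents of /etc/passwd instead.

```python
"""Audit /etc/passwd-format text for entries worth a second look.
Added example, not from the thread. The sample is constructed and
contains deliberate anomalies so each check has something to flag."""
from collections import Counter

# Shells that cannot be used for an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/bin/sync", "/sbin/shutdown", "/sbin/halt"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:995:992::/var/lib/chrony:/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
svc:$6$saltsalt$fakehash:1001:1001::/home/svc:/bin/bash
"""

def audit_passwd(text):
    """Return (name, reason) findings; an empty list means nothing stood out."""
    findings, entries = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        entries.append((name, uid))
        if pw == "":
            findings.append((name, "empty password field: no password needed to log in"))
        elif pw != "x":
            findings.append((name, "password hash kept in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if shell not in NOLOGIN_SHELLS and name != "root":
            findings.append((name, f"interactive shell {shell}: expected only for accounts you created"))
    # Two names sharing a UID are the same identity as far as the kernel is concerned.
    uid_counts = Counter(uid for _, uid in entries)
    for name, uid in entries:
        if uid_counts[uid] > 1:
            findings.append((name, f"shares UID {uid} with another account"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
```

On a fresh server where you have created no users, `audit_passwd(open("/etc/passwd").read())` should return an empty list; anything it reports is worth explaining before you trust the box.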

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How to make sure /etc/passwd is not compromised

Post by TrevorH » 2020/09/28 20:54:25

There are no unexpected users listed in there. That doesn't mean you aren't compromised, just that there is no additional user.

How complex was the root password? That's a fair few login attempts but I suspect that a lot of these are just skript kiddies trying well known passwords and then moving on to the next host. If you include all 26 letters, twice for upper and lower case, then add 10 for the numerals, and another 6 or so for special characters that are allowed in passwords, you get a total of 68 possible characters in any position so a 1 character password would require 68 attempts to crack it, a 2 character password would require 68*68=4624, on up to an 8 character one which would require 68^8 attempts (457,163,239 million, 457 trillion) and more complex ones still would need more brute force guesses.

OTOH, if it was 'password' then give up and reformat and reinstall. Or p4ssw0rd or any other such "disguised" real word.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

amd
Posts: 10
Joined: 2020/09/28 19:21:29

Re: How to make sure /etc/passwd is not compromised

Post by amd » 2020/09/28 21:49:19

Thanks a lot for the quick reply!

The password is actually 15 characters, alphanumeric with a mix of upper and lower case, but no special characters, and it is totally random (no meaningful words) => 62^15 = too many digits to count :D

In fact, right below the failed login attempts message I have the date of the last successful login:
There were 332321 failed login attempts since the last successful login.
Last login: Fri Jul 3 13:55:19 2020 from 90.90.171.24
Which looks a lot like a test login I did myself back in July.

I guess if the /etc/passwd file does not show any unusual user, I can assume I'm safe?

tunk
Posts: 1206
Joined: 2017/02/22 15:08:17

Re: How to make sure /etc/passwd is not compromised

Post by tunk » 2020/09/28 22:21:27

The last command will list the successful logins, and lastb the unsuccessful.

BShT
Posts: 585
Joined: 2019/10/09 12:31:40

Re: How to make sure /etc/passwd is not compromised

Post by BShT » 2020/09/29 11:50:26

You never can assume that you are 100% safe,

but you can assume you are safe based on your password length and complexity.

Install fail2ban and remove root access to ssh.

amd
Posts: 10
Joined: 2020/09/28 19:21:29

Re: How to make sure /etc/passwd is not compromised

Post by amd » 2020/10/03 13:22:46

The "last" command returned a handful of root logins which look familiar (the dates).

lastb returned too many attempts, mainly from root user but also with other random users in between every 20 root failed attempts or so. Very helpful commands, thank you!

I'm resuming my tutorial today; I'll try to:
- remove the root user and replace it with a custom one
- disable password authentication and replace with key-based
- learn about & setup fail2ban

Thank you all for the guidance!
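To make the `lastb` review described above (and suggested in the earlier reply) less of a scroll through 300k lines, here is an added example that is not from this thread. The records below are constructed to mimic `lastb` output (which reads /var/log/btmp and needs root), including the pattern of root attempts with odd usernames mixed in; the regex and the 4-attempt sample are assumptions of this example.

```python
"""Summarize lastb-style output: who is being targeted, and from where.
Added example, not from the thread. SAMPLE_LASTB is constructed."""
import re
from collections import Counter

# lastb prints: user, tty, origin host/IP, then the timestamp and duration.
LASTB_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\w{3}\s+\w{3}\s+\d+\s+\d\d:\d\d)")

SAMPLE_LASTB = """\
root     ssh:notty    203.0.113.5      Mon Sep 28 19:40 - 19:40  (00:00)
root     ssh:notty    203.0.113.5      Mon Sep 28 19:40 - 19:40  (00:00)
admin    ssh:notty    203.0.113.5      Mon Sep 28 19:41 - 19:41  (00:00)
root     ssh:notty    198.51.100.23    Mon Sep 28 19:41 - 19:41  (00:00)
oracle   ssh:notty    198.51.100.23    Mon Sep 28 19:42 - 19:42  (00:00)
root     ssh:notty    203.0.113.5      Mon Sep 28 19:42 - 19:42  (00:00)

btmp begins Mon Sep 28 19:40:01 2020
"""

def parse_lastb(text):
    """Yield (user, tty, host) per failed-login record; the trailer and blanks are skipped."""
    for line in text.splitlines():
        m = LASTB_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def summarize_lastb(text):
    """Count failed attempts per username and per source host."""
    users, hosts = Counter(), Counter()
    for user, _tty, host in parse_lastb(text):
        users[user] += 1
        hosts[host] += 1
    return users, hosts

def noisy_sources(text, threshold):
    """Source hosts with at least `threshold` failures, busiest first.
    This is roughly the signal fail2ban's maxretry/findtime rule acts on."""
    _, hosts = summarize_lastb(text)
    return [(h, n) for h, n in hosts.most_common() if n >= threshold]

if __name__ == "__main__":
    users, hosts = summarize_lastb(SAMPLE_LASTB)
    print("by user:", users.most_common(5))
    print("by host:", hosts.most_common(5))
    print("noisy (>=3):", noisy_sources(SAMPLE_LASTB, 3))
```

On a real host, pipe the output of `lastb` into `summarize_lastb`; usernames other than root in the top list are the dictionary the attackers are cycling through, not accounts that exist on your system.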

amd
Posts: 10
Joined: 2020/09/28 19:21:29

Re: How to make sure /etc/passwd is not compromised

Post by amd » 2020/10/12 18:41:57

According to this page https://www.fail2ban.org/wiki/index.php/MANUAL_0_8 the problem fail2ban tries to solve is:
Brute-force break-in attempts are quite frequent against an SSH server and other password protected internet-services
I disabled ssh password based login; does this make fail2ban totally unnecessary? Should I really bother setting it up?

Thank you

BShT
Posts: 585
Joined: 2019/10/09 12:31:40

Re: How to make sure /etc/passwd is not compromised

Post by BShT » 2020/10/13 14:00:04

You can be flooded even if you disable password ssh login.

fail2ban does not hurt.

amd
Posts: 10
Joined: 2020/09/28 19:21:29

Re: How to make sure /etc/passwd is not compromised

Post by amd » 2020/10/13 20:01:00

I'm asking because I was questioning whether constantly parsing the system logs in the long term could have side effects (for example, system slow-down).

I'll go ahead and set it up, if I get no opposite feedback in the next few days.

Thank you!
